hipl and selinux
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
HIPL | New | Wishlist | Unassigned |
selinux (Ubuntu) | New | Undecided | Unassigned |
Bug Description
Figure out how to configure selinux to work with hipl.
---
I have SELINUX=enforcing, SELINUXTYPE=
2.6.27.
---
How did you configure it?
---
hipd_init calls system("ifconfig dummy0 mtu"), but selinux does not allow its
operations:
type=1400 audit(122908747
comm="ifconfig" path="/
scontext=
tcontext=
type=1400 audit(122908747
comm="ifconfig" path="socket:
scontext=
tcontext=
type=1400 audit(122908747
comm="ifconfig" path="socket:
scontext=
tcontext=
type=1400 audit(122908747
comm="ifconfig" path="socket:
scontext=
tcontext=
type=1400 audit(122908747
comm="ifconfig" path="socket:
scontext=
tcontext=
type=1400 audit(122908747
comm="ifconfig" path="socket:
scontext=
tcontext=
type=1400 audit(122908747
comm="ifconfig" path="socket:
scontext=
tcontext=
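---
The audit lines quoted above are cut off, but their shape is the standard kernel AVC record: `type=1400 audit(...)`, the denied permission set in braces, `comm=`, `path=`, then `scontext=`, `tcontext=` and `tclass=`. The routine way to turn such records into policy is `ausearch -m avc | audit2allow`, which groups them into `allow source target:class { perms };` rules. The following is an added example, not code from HIPL or from this bug report: a small C parser that does that grouping on two constructed sample records (not the bug's real ones, whose fields are truncated here) and, before handing a rule back, flags the pattern worth noticing in this report: a denial where `path="socket:..."` (or a socket class) and the target context belongs to a different process domain than the source. A socket carries the context of the process that created it, so `ifconfig_t` being denied on an `initrc_t` socket means the descriptor was inherited across exec from the daemon, which is a bug in the parent process rather than something to allow.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample records in the shape of the truncated ones quoted in
 * the bug: a socket leaked into ifconfig, and a plain lock-file access. */
const char *SAMPLE_LEAK =
    "type=1400 audit(1229087470.123:45): avc:  denied  { read write } for  "
    "pid=1234 comm=\"ifconfig\" path=\"socket:[12345]\" dev=sockfs ino=12345 "
    "scontext=system_u:system_r:ifconfig_t:s0 "
    "tcontext=system_u:system_r:initrc_t:s0 tclass=udp_socket";
const char *SAMPLE_LOCK =
    "type=1400 audit(1229087470.123:46): avc:  denied  { read write } for  "
    "pid=1234 comm=\"ifconfig\" path=\"/var/lock/subsys/example\" dev=sda1 ino=99 "
    "scontext=system_u:system_r:ifconfig_t:s0 "
    "tcontext=system_u:object_r:var_lock_t:s0 tclass=file";

struct avc {
    char perms[64];   /* e.g. "read write" */
    char comm[32];
    char path[128];
    char stype[64];   /* type component of scontext, e.g. ifconfig_t */
    char ttype[64];   /* type component of tcontext, e.g. initrc_t */
    char tclass[32];
};

/* Copy the value of " key=" (quoted or bare) into dst; returns 1 if present. */
static int field(const char *line, const char *key, char *dst, size_t n)
{
    const char *p = strstr(line, key);
    size_t i = 0;
    if (!p) { dst[0] = '\0'; return 0; }
    p += strlen(key);
    if (*p == '"') {
        for (p++; *p && *p != '"' && i + 1 < n; p++) dst[i++] = *p;
    } else {
        for (; *p && *p != ' ' && i + 1 < n; p++) dst[i++] = *p;
    }
    dst[i] = '\0';
    return 1;
}

/* user:role:type[:level] -> type */
static void context_type(const char *ctx, char *dst, size_t n)
{
    const char *p = ctx;
    size_t i = 0;
    for (int colons = 0; colons < 2 && *p; p++) if (*p == ':') colons++;
    while (*p && *p != ':' && i + 1 < n) dst[i++] = *p++;
    dst[i] = '\0';
}

/* Parse one AVC denial; returns 1 on success, 0 if the line is not one. */
int parse_avc(const char *line, struct avc *a)
{
    char ctx[128];
    const char *lb, *rb;
    size_t len;
    memset(a, 0, sizeof *a);
    if (!strstr(line, "avc:") || !strstr(line, "denied")) return 0;
    lb = strchr(line, '{');
    rb = lb ? strchr(lb, '}') : NULL;
    if (!lb || !rb) return 0;
    for (lb++; *lb == ' '; lb++) ;
    len = (size_t)(rb - lb);
    while (len > 0 && lb[len - 1] == ' ') len--;
    if (len >= sizeof a->perms) len = sizeof a->perms - 1;
    memcpy(a->perms, lb, len);
    a->perms[len] = '\0';
    if (!field(line, " scontext=", ctx, sizeof ctx)) return 0;
    context_type(ctx, a->stype, sizeof a->stype);
    if (!field(line, " tcontext=", ctx, sizeof ctx)) return 0;
    context_type(ctx, a->ttype, sizeof a->ttype);
    if (!field(line, " tclass=", a->tclass, sizeof a->tclass)) return 0;
    field(line, " comm=", a->comm, sizeof a->comm);
    field(line, " path=", a->path, sizeof a->path);
    return 1;
}

/* The TE rule audit2allow would print for this denial. */
int avc_to_allow(const struct avc *a, char *out, size_t n)
{
    return snprintf(out, n, "allow %s %s:%s { %s };",
                    a->stype, a->ttype, a->tclass, a->perms);
}

/* A denial on a socket or pipe labelled with another domain's context means
 * the descriptor was inherited across exec: fix the parent, do not allow it. */
int avc_is_leaked_fd(const struct avc *a)
{
    int fdlike = strncmp(a->path, "socket:", 7) == 0 ||
                 strncmp(a->path, "pipe:", 5) == 0 ||
                 strstr(a->tclass, "socket") != NULL;
    return fdlike && strcmp(a->stype, a->ttype) != 0;
}

int main(void)
{
    const char *lines[] = { SAMPLE_LEAK, SAMPLE_LOCK, "not an avc line" };
    for (size_t i = 0; i < 3; i++) {
        struct avc a;
        char rule[256];
        if (!parse_avc(lines[i], &a)) { printf("skip: %s\n", lines[i]); continue; }
        avc_to_allow(&a, rule, sizeof rule);
        printf("%s%s\n", rule, avc_is_leaked_fd(&a) ? "   # leaked fd, fix the parent" : "");
    }
    return 0;
}
```

Run against the real log, the flagged rules are the ones to drop from a policy module; the unflagged ones (such as the `var_lock_t:file` access) are ordinary candidates for a local module. The field names and layout are those of the kernel's AVC message; the sample values are made up for the example.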
---
Is it enough to allow dummy0 in selinux?
---
A policy like this should help, but it does not look very correct.
allow ifconfig_t initrc_
allow ifconfig_t initrc_
allow ifconfig_t initrc_
allow ifconfig_t initrc_t:udp_socket { read write };
allow ifconfig_t var_lock_t:file { read write };
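---
The rules granting `ifconfig_t` access to `initrc_t` sockets look wrong for a reason: `system("ifconfig ...")` runs `/bin/sh` and then `ifconfig` with every descriptor hipd had open, and a socket keeps the context of the process that created it. The child therefore shows up as `ifconfig_t` reading and writing `initrc_t` sockets, which is what the `path="socket:..."` denials above record. The fix that does not need a policy change is to stop the descriptors crossing exec: mark them `FD_CLOEXEC` with `fcntl(2)`, or create them with `SOCK_CLOEXEC` (available from Linux 2.6.27, the kernel mentioned in this report), or replace `system()` with a `fork`/`exec` that closes descriptors first. The following is an added example and not HIPL code: it creates a socket with and without close-on-exec and, in a child started through `/bin/sh -c` exactly as `system()` would, checks whether the socket is still reachable. It assumes `/bin/sh` exists and that the process may fork.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark fd close-on-exec so the kernel drops it when a new image is exec'd.
 * This is the portable equivalent of passing SOCK_CLOEXEC to socket(2). */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Start a command the way system() does (/bin/sh -c) and report whether the
 * child can still write to fd.  Returns 1 if the descriptor leaked into the
 * child, 0 if it was closed across exec, -1 on fork/wait failure.  The shell
 * redirection fails with "Bad file descriptor" when fd is gone. */
int fd_survives_exec(int fd)
{
    char cmd[64];
    int status;
    pid_t pid;
    snprintf(cmd, sizeof cmd, "echo leaked 2>/dev/null >&%d", fd);
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Create a socket the way a daemon would (a connected AF_UNIX pair so that a
 * write succeeds), optionally close-on-exec, and see whether an
 * ifconfig-style child inherits it.  Returns fd_survives_exec()'s result. */
int demo_leak(int cloexec)
{
    int sv[2], leaked;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    if (cloexec && set_cloexec(sv[0]) < 0) { close(sv[0]); close(sv[1]); return -1; }
    leaked = fd_survives_exec(sv[0]);
    close(sv[0]);
    close(sv[1]);
    return leaked;
}

int main(void)
{
    printf("socket without FD_CLOEXEC: %s\n",
           demo_leak(0) == 1 ? "inherited by child" : "not inherited");
    printf("socket with FD_CLOEXEC:    %s\n",
           demo_leak(1) == 1 ? "inherited by child" : "not inherited");
    return 0;
}
```

With the daemon's sockets marked close-on-exec, `ifconfig` no longer holds `initrc_t` sockets at all, so those denials disappear without any `allow ifconfig_t initrc_t:...` rule; only the accesses ifconfig makes on its own (the `dummy0` configuration itself, the lock file) remain to be judged on their merits.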
---
It is even worse, I get "SELinux: failure in selinux_
parse packet" with ping6 2001:1c:
2001:1c:
2001:1e:
2001:14:
So normally "it works", but fails on some HITs.
[root@aeris ~]# ping6 -c1 2001:14:
PING
2001:14:
data bytes
64 bytes from 2001:14:
time=0.316 ms
--- 2001:14:
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.316/0.
[root@aeris ~]# ping6 -c1 2001:1e:
PING
2001:1e:
data bytes
64 bytes from 2001:1e:
time=0.355 ms
--- 2001:1e:
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.355/0.
[root@aeris ~]# ping6 -c1 2001:1c:
PING 2001:1c:
56 data bytes
64 bytes from 2001:1c:
time=0.351 ms
--- 2001:1c:
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.351/0.
[root@aeris ~]# ping6 -c1 2001:1c:
PING 2001:1c:
56 data bytes
ping: sendmsg: Operation not permitted
^C
--- 2001:1c:
1 packets transmitted, 0 received, 100% packet loss, time 547ms
HA is ESTABLISHED
Local HIT: 2001:001a:
Peer HIT: 2001:0014:
Local LSI: 1.0.0.1
Peer LSI: 1.0.0.7
Local IP: 2001:0708:
Peer IP: 2001:0708:
Peer hostname: hipserver.
HA is ESTABLISHED
Local HIT: 2001:001a:
Peer HIT: 2001:001a:
Local LSI: 1.0.0.1
Peer LSI: 1.0.0.2
Local IP: 0000:0000:
Peer IP: 0000:0000:
Peer hostname: aeris.infrahip.net
HA is ESTABLISHED
Local HIT: 2001:001a:
Peer HIT: 2001:001e:
Local LSI: 1.0.0.1
Peer LSI: 1.0.0.3
Local IP: 2001:0708:
Peer IP: 2001:0708:
Peer hostname:
HA is ESTABLISHED
Local HIT: 2001:001a:
Peer HIT: 2001:001c:
Local LSI: 1.0.0.1
Peer LSI: 1.0.0.6
Local IP: 2001:0708:
Peer IP: 2001:0708:
Peer hostname: ashenvale.
HA is ESTABLISHED
Local HIT: 2001:001a:
Peer HIT: 2001:001e:
Local LSI: 1.0.0.1
Peer LSI: 1.0.0.4
Local IP: 2001:0708:
Peer IP: 2001:0708:
Peer hostname:
HA is ESTABLISHED
Local HIT: 2001:001a:
Peer HIT: 2001:001c:
Local LSI: 1.0.0.1
Peer LSI: 1.0.0.5
Local IP: 193.167.187.149
Peer IP: 193.167.187.26
Peer hostname:
---
From Samu:
Network Labeling: IPSEC/xfrm
• Implicit packet labeling via IPSEC/xfrm.
• Security context stored in xfrm policy rules and states.
• Authorize socket's use of policy based on context.
• Build SAs with context of policy.
• Included in Linux 2.6.16.
• TCP SO_PEERSEC support, UDP SCM_SECURITY support added in Linux 2.6.17.
---
From Samu:
http://
---
If you manage to get SELinux to work, please include a new section in the
manual on this and document the exact steps on how to make it work. You can
commit directly to the userspace branch.
Samu has a book on SELinux which he promised to bring tomorrow to HIIT, but
there should be plenty of material available on the net.
Changed in hipl:
importance: Undecided → Wishlist
affects: ubuntu → selinux (Ubuntu)
What's the status of this bug?